Features

Active Directory Delegation

Active Directory management involves many different operations that require administrative
privileges, which by default are granted only to AD administrators. Though operations like
password reset or account unlock are simple, they consume a lot of the time of
highly skilled IT staff and keep them from focusing on more complex and important
issues. Active Directory delegation helps you optimize the productivity
of the IT department by letting non-administrative users (e.g. department managers
or Help Desk operators) perform certain administrative activities in Active Directory.

Active Directory delegation helps you significantly enhance the security of the
environment, decentralize Active Directory administration, and successfully address
the administrative needs of the organization, making
Active Directory management more efficient
and cost-effective.

Native Active Directory Delegation

The native Active Directory delegation model has a number of disadvantages that
prevent you from taking a granular approach to the delegation of rights in Active
Directory. Since there is no central place to store permissions, native Active Directory
delegation requires tedious and error-prone manual maintenance of multiple
ACLs scattered across Active Directory and makes it hard to control what permissions
and privileges are granted to users. This lack of control often results in many
users having administrative access that is not necessary for performing their job functions,
which creates security exposure and causes audit failures.

Another major disadvantage of the native Active Directory delegation model is that
there is no way to grant access based on job function. To provide the
permissions necessary for a certain job role, administrators have to manually
assign multiple sets of rights across a large number of objects in Active Directory.
It is even more difficult to revoke all unnecessary privileges from users whose
responsibilities or role in the organization have changed. Such an approach leaves
much room for errors and omissions that often result in users either not having
the permissions they need, or having elevated administrative privileges they don't
need.

Role-Based Approach to Active Directory Delegation

Adaxes brings Active Directory delegation to a higher level by introducing a proven
role-based access control model. Role-based administration
allows you to delegate responsibilities based on business functions and administrative
scopes in a centralized manner. Using administrative Security Roles you can easily
delegate multiple permissions to, and subsequently revoke delegated privileges from,
multiple users performing the same job function without modifying native Active
Directory permissions. As access rights are managed centrally, you can efficiently
control who has what permissions on which resources in Active Directory.

All permissions necessary to perform a certain job function are aggregated into
Security Roles that are assigned to users in accordance with their job role in the
organization. For example, administrative duties related to user account support
(e.g. resetting passwords, unlocking accounts, renaming users) are usually assigned to a specific
set of technicians for a specific collection of user accounts. By defining a Security
Role called Help Desk, you can associate with that role the set of permissions necessary
to provide account support. You can then assign this role to various users and groups
over different scopes of influence within the organization. To grant or revoke privileges
for all users performing the Help Desk role, you only need to modify the set of
permissions assigned to that role.

Scope of Active Directory Delegation

One of the well-known limitations of the native Active Directory delegation model
is that it only lets you delegate permissions with a scope of either an entire
AD domain or a specific Organizational Unit. But what if you need to allow your
Help Desk staff to perform the delegated activities on all members of the Sales
department when they are spread across multiple OUs or AD domains? Or what if members
of all departments are located in the same OU, but you want to delegate
permissions over the members of the Sales department only?

Adaxes enables a more granular and accurate assignment of rights by letting you
delegate permissions over all objects in
one or several AD domains, objects located under specific OUs, members of AD groups,
specific AD objects, and members of virtual OUs called Business Units.

Using Business Units for the distribution of administrative rights significantly
facilitates Active Directory delegation, as Business Units can include Active Directory
objects located in different OUs, AD domains and even forests. For example, you
may need to delegate administrative rights to Help Desk technicians on all users
from the Sales department that are spread across multiple AD locations. For this
purpose, you can define a Business Unit that includes all users whose Department
property is set to 'Sales', and assign the Help Desk role to a group of technicians
over the members of that Business Unit.

Moreover, the scope where users can apply their permissions can include the objects managed by
them or their direct reports. For example, if you want to allow managers to manage the accounts of
their direct reports, you assign a Security Role to Manager. Or, if you want to
delegate certain permissions on an AD object to the user who manages that object, you
grant the permissions to Owner (Managed By). When the manager of an object changes, the permissions are
revoked from the old manager and granted to the new one automatically, which saves you the effort of reassigning
permissions manually.

Active Directory Delegation with Approvals

Adaxes makes Active Directory delegation even more secure and compliant, as it allows
you to control how the delegated activities are carried out. Adaxes can be configured
to perform certain operations in Active Directory only after approval is given
by an authorized person. It is also possible to specify conditions that must be
met for an operation to require approval. For example, approval for user deletion
can be requested only if the operation is performed by a member of the Junior Administrators
group, or if the user account is not located under the Terminated Employees organizational
unit.
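The following is an added, constructed model of the delegation concepts described in the Role-Based Approach, Scope and Approvals sections above: Security Roles as central sets of operations, assignments of a role to a trustee over a scope (an OU or domain, a group's members, a Business Unit defined by an attribute value, or the relative trustees Manager and Owner (Managed By)), and conditional approval rules. It is illustrative code, not Adaxes or any of its APIs; every DN, group, role, attribute value and rule in it is made up for the example.

```python
"""Constructed model of role-based Active Directory delegation with scopes
and conditional approvals. Illustrative only; not Adaxes code. Every DN,
group, role and rule below is invented for the example."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample directory: distinguished name -> attributes.
CORP = "DC=corp,DC=example"
EU = "DC=eu,DC=example"
DIRECTORY = {
    f"CN=Alice,OU=Staff,{CORP}": {"department": "Sales", "manager": f"CN=Mia,OU=Staff,{CORP}"},
    f"CN=Bob,OU=Staff,{CORP}": {"department": "Finance", "manager": f"CN=Mia,OU=Staff,{CORP}"},
    f"CN=Carol,OU=Europe,{EU}": {"department": "Sales"},          # same department, other domain
    f"CN=Dave,OU=Terminated Employees,{CORP}": {"department": "Sales"},
    f"CN=Mia,OU=Staff,{CORP}": {"department": "Sales"},
    f"CN=Tom,OU=IT,{CORP}": {},
    f"CN=Joe,OU=IT,{CORP}": {},
    f"CN=Printers,OU=Resources,{CORP}": {"managedBy": f"CN=Tom,OU=IT,{CORP}"},
}
# Constructed group memberships: group DN -> member DNs.
GROUPS = {
    f"CN=Help Desk,OU=Groups,{CORP}": {f"CN=Tom,OU=IT,{CORP}", f"CN=Joe,OU=IT,{CORP}"},
    f"CN=Junior Administrators,OU=Groups,{CORP}": {f"CN=Joe,OU=IT,{CORP}"},
}

# Security Roles: each role's permitted operations live in one central place,
# so editing a role grants or revokes the operation for every assignee at once.
ROLES = {
    "Help Desk": {"reset-password", "unlock", "rename"},
    "User Administration": {"delete-user", "modify-group"},
    "Manager": {"unlock", "reset-password"},
    "Owner": {"modify"},
}

# A scope is a predicate deciding whether a target DN is covered.
Scope = Callable[[str], bool]

def in_container(dn: str, container_dn: str) -> bool:
    """True if dn sits anywhere under container_dn (an OU or a domain)."""
    return dn.lower().endswith("," + container_dn.lower())

def container_scope(container_dn: str) -> Scope:
    return lambda target: in_container(target, container_dn)

def group_members_scope(group_dn: str) -> Scope:
    return lambda target: target in GROUPS.get(group_dn, set())

def business_unit(attribute: str, value: str) -> Scope:
    """Virtual OU: every object whose attribute equals value, across OUs and domains."""
    return lambda target: DIRECTORY.get(target, {}).get(attribute) == value

@dataclass(frozen=True)
class Assignment:
    role: str      # key into ROLES
    trustee: str   # user DN, group DN, or the relative trustees "Manager" / "Owner (Managed By)"
    scope: Scope

ASSIGNMENTS = [
    Assignment("Help Desk", f"CN=Help Desk,OU=Groups,{CORP}", business_unit("department", "Sales")),
    Assignment("User Administration", f"CN=Tom,OU=IT,{CORP}", container_scope(CORP)),
    Assignment("User Administration", f"CN=Junior Administrators,OU=Groups,{CORP}", container_scope(CORP)),
    Assignment("Manager", "Manager", container_scope(CORP)),             # each manager over their reports
    Assignment("Owner", "Owner (Managed By)", container_scope(CORP)),    # each object's managedBy user
]

def acts_as(actor: str, trustee: str, target: str) -> bool:
    """Resolve a trustee: relative trustees are evaluated against the target's attributes."""
    attrs = DIRECTORY.get(target, {})
    if trustee == "Manager":
        return attrs.get("manager") == actor
    if trustee == "Owner (Managed By)":
        return attrs.get("managedBy") == actor
    return actor == trustee or actor in GROUPS.get(trustee, set())

def is_permitted(actor: str, operation: str, target: str) -> bool:
    return any(
        acts_as(actor, a.trustee, target) and operation in ROLES[a.role] and a.scope(target)
        for a in ASSIGNMENTS
    )

# Approval rules: operation -> condition under which approval is required.
JUNIOR = f"CN=Junior Administrators,OU=Groups,{CORP}"
TERMINATED_OU = f"OU=Terminated Employees,{CORP}"
APPROVAL_RULES = {
    "delete-user": lambda actor, target: actor in GROUPS[JUNIOR]
                                         or not in_container(target, TERMINATED_OU),
}

def decide(actor: str, operation: str, target: str) -> str:
    """Return 'denied', 'allowed' or 'pending-approval' for the requested operation."""
    if not is_permitted(actor, operation, target):
        return "denied"
    rule = APPROVAL_RULES.get(operation)
    if rule and rule(actor, target):
        return "pending-approval"
    return "allowed"

def revoke_from_role(role: str, operation: str) -> None:
    """Central revocation: one change affects every assignee of the role."""
    ROLES[role].discard(operation)

if __name__ == "__main__":
    tom = f"CN=Tom,OU=IT,{CORP}"
    print(decide(tom, "reset-password", f"CN=Carol,OU=Europe,{EU}"))  # Sales user in another domain
    print(decide(tom, "reset-password", f"CN=Bob,OU=Staff,{CORP}"))   # Finance user: outside the Business Unit
```

The Business Unit scope is what lets the Help Desk assignment reach Carol in the eu domain while excluding Bob in the same OU as Alice; the relative trustees show why a manager change needs no reassignment, because the check is made against the target's current manager attribute at decision time; and the approval rule reproduces the page's condition (requester is a Junior Administrator, or the account is not under Terminated Employees).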

The role-based security model provided by Softerra Adaxes significantly simplifies
Active Directory delegation, as it enables granular assignment of administrative
permissions based on job roles and eliminates the need to manually modify multiple
ACLs across Active Directory. As all permissions are stored in a central location,
you can easily track and monitor the delegated rights across AD domains. Flexible
assignment of Security Roles helps you ensure that all users have only the least privileges
necessary to perform their job function.